Solved

Terminal services connect from Win2k client using port 90 or 21

Posted on 2006-11-17
Last Modified: 2008-01-09
Hi,

I have a client running Win2k machines on a large company network that only allows connecting via the Internet through ports 80 and 21 and their local IT department cannot change this restriction.  I want them to be able to connect to my SBS 2003, which is on a separate network, via Terminal Services.

They can get to the Remote Web Workplace on my server and see the server name but when they click the Connect button they get an error message.  Their IT department says it is because my terminal server uses port 3389.  I have tested connecting to my SBS server using a Win2k PC not on their network and it works fine and they have done the same and say it works fine.

Is there a way to get around this problem?

Thanks,
 
Question by:merdeka
26 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Remote Web Workplace WOULD be the way to go in this situation.  It uses port 443 for the outbound, which I'm sure they allow (because that's the SSL port for HTTP - 80).

It would be very helpful though if you provided exactly what error message displays, because describing the problem as "they get an error message" doesn't give us much to go on.

Jeff
TechSoEasy
0
 

Author Comment

by:merdeka
Hi Jeff,

I realize the error message should have been included but I can't reproduce it here so I have to wait until Monday to get it from them.  I wanted them to be able to connect to my companyweb but they couldn't get past SSL port 444 (I don't know if this is relevant).  I'll try to get the error message for you next week.

Thanks for the quick reply.

John
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Actually that is true... if you connect to Companyweb you'll need to be able to have outbound access through 444 and connecting to remote desktops will require outbound access through port 4125 (not 3389 as the IT department suspected, because SBS uses an RDP proxy).

So... If those can't be made available... I'd suggest that you look into something like www.logmein.com which will run all traffic through 80 and 443.

Jeff
TechSoEasy
0
 
LVL 6

Assisted Solution

by:manicsquirrel
manicsquirrel earned 63 total points
If you really want to give them this functionality, then it is quite easy for you to compensate.  You'll have to give up some flexibility though, and you'll have to designate only one computer for them to access directly using the Remote Desktop Client.  I'm going to assume you are not using ISA for your NAT routing but rather RRAS.  If so, then make these changes.

Set a DHCP reservation for the target computer:
1. Right-click on My Computer and select Manage from the popup menu
2. Expand Services and Applications
3. Expand your scope
4. Expand Reservations
5. From the Action menu, select New Reservation
6. In the New Reservation dialog box enter a descriptive name for the reservation
7. Enter the IP address for the target computer.
8. Enter the MAC ID of the target computer's network card
9. Select the DHCP radio button
10. Click OK

Adjust the routing:
1. Right-click on My Computer and select Manage from the popup menu
2. Expand Services and Applications
3. Expand Routing and Remote Access
4. Expand IP Routing
5. Click on NAT/Basic Firewall
6. In the right-hand panel, right click on Network Connection (if you have renamed the connection, it would be your external or WAN NIC), select Properties from the popup menu
7. In the Network Connection Properties dialog box, click on the Services and Ports tab
8. Select the FTP Server entry and click the edit button.
9. Enter the private ip address for the target computer.
10. Click OK, Click OK

Change the listening port for Remote Desktop for the target computer:
1. Using either regedit.exe locally on the target computer or on the server with Connect Network Registry, open the following key on the target computer: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
2. Change the REG_DWORD "PortNumber" value from 3389 to 21

There are two caveats:  You cannot run FTP services over port 21 any longer (if you even are) and this computer will no longer be accessible from RWW, you will have to connect directly through the Remote Desktop Client.  For Win2k you'll have to download the client at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=80111f21-d48d-426e-96c2-08aa2bd23a49&DisplayLang=en

On a Win2k box, it will install at Start->Programs->Accessories->Communications->Remote Desktop Client.  Or from the run box type "mstsc" (without quotes).  In the Remote Desktop Client, at the "Computer:" textbox where you would type an ip address or fqdn, you'll have to append ":21" (a colon and the port number).  So your address would look like xxx.xxx.xxx.xxx:21 .

After you reboot the target computer, you and your customer should now be able to traverse their system's restriction.  It's not a perfect answer, but a usable one nonetheless.

If you don't like that option, I have another one involving a VNC Proxy/Repeater Server.  Let me know.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Hmmm... that's a great idea... one other thought.  Port 4125 is used for Remote Web Workplace.  That port as well can be modified to use port 21 instead.  The only problem I see with this is that it would also need port 444.  Generally if port 21 is allowed outbound access though, port 22 is as well since this would be the SSH port (equal to what 443 is to port 80).

Worth looking at.

Jeff
TechSoEasy
0
 
LVL 6

Expert Comment

by:manicsquirrel
Unfortunately, RRAS does not let you change the default port settings for HTTP, HTTPS, or FTP.  I found a hack once that would enable the textbox so you could change it, but I can't find it now.

I don't think port 444 is necessary unless you are accessing the internal business website, i.e. the sharepoint site is made available.  If you go straight to /exchange or /remote it doesn't use 444 does it?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Yeah, it does... I didn't think so, but after reading his request yesterday wanting users to be able to access the companyweb I tested it.  You can easily see what's happening by running a netstat command while using RWW.

Jeff
TechSoEasy
0
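An added PowerShell example (not code from the thread or from any SBS tool) that turns two points above into checks: Jeff's suggestion of watching an RWW session with netstat to learn which outbound ports it really uses, and manicsquirrel's registry change of the RDP-Tcp PortNumber, guarded so it refuses a port that already has a listener (his FTP-on-21 caveat). It assumes a Windows host with netstat.exe; the registry path is the one quoted in his post, and the function names are my own.

```powershell
# Added example, not from the thread. Assumes a Windows host with netstat.exe.
# $RdpKey is the registry path quoted in manicsquirrel's post.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Parse `netstat -an` (present on Windows 2000 through current releases).
function Get-NetstatEntries {
    netstat -an | ForEach-Object {
        # Example line:  TCP    192.168.16.5:1078    203.0.113.10:4125    ESTABLISHED
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)') {
            [pscustomobject]@{
                LocalPort  = [int]$Matches[2]
                RemoteAddr = $Matches[3]
                RemotePort = $Matches[4]
                State      = $Matches[5]
            }
        }
    }
}

# Jeff's check: run this on the client while an RWW session is open to see which
# outbound ports it needs (the thread names 443, 444 for companyweb, 4125 for the RDP proxy).
function Get-OutboundPortsTo {
    param([Parameter(Mandatory=$true)][string]$ServerAddress)   # hypothetical parameter name
    Get-NetstatEntries |
        Where-Object { $_.RemoteAddr -eq $ServerAddress -and $_.State -eq 'ESTABLISHED' } |
        Select-Object -ExpandProperty RemotePort -Unique |
        Sort-Object { [int]$_ }
}

function Get-RdpPort {
    (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
}

# Step 3 of manicsquirrel's procedure, with his caveat turned into a check:
# refuse to move RDP onto a port that already has a listener (such as FTP on 21).
function Set-RdpPort {
    param([Parameter(Mandatory=$true)][ValidateRange(1,65535)][int]$Port)
    $listening = Get-NetstatEntries |
        Where-Object { $_.State -eq 'LISTENING' } |
        Select-Object -ExpandProperty LocalPort
    if ($listening -contains $Port) {
        throw "TCP $Port already has a listener on this machine; stop that service or choose another port."
    }
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
    # The new port applies after a reboot; any host firewall rule written for 3389 must follow it.
    Write-Output "RDP-Tcp PortNumber set to $Port; reboot the target computer to apply."
}

"Current RDP listening port: $(Get-RdpPort)"
# Set-RdpPort -Port 21   # the value used in the thread; only after accepting the FTP caveat
```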
 

Author Comment

by:merdeka
Hi,

We use ftp all of the time so I don't want to give that up.  Also, at first at least, I would like the program they run to be on my server running through terminal server.

I tried LogMeIn and it works fine but it controls the desktop of the server rather than start a terminal server session.  I don't think this will work for me because I would like to have three users running my software on the server concurrently so, obviously, they can't all share the same desktop.

Thanks,
John

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Well, wait a minute... you can't run Terminal Services in application mode on an SBS 2003!  You would need a separate Terminal Server.

Jeff
TechSoEasy
0
 
LVL 6

Expert Comment

by:Shack-Daddy
I suggest either installing a new 2003 server as an RDP app server or looking at WinConnectXP at ThinSoftInc.com. Combine ManicSquirrel's solution with what ThinSoft has to offer.
0
 

Author Comment

by:merdeka
Hi,

If necessary I will get another server but I have run this server in application mode (I assume what you mean is running an application remotely on the server) however I have done this using the Admin account.  I don't know if it will work using a regular TS licence but I was told that it will.  Microsoft recommends not doing it for security reasons.

I don't know what the security risks are or if there are other reasons (not that security is not a major concern).

I will check-out the ThinSoft possibility.

Thanks,
John
0
 
LVL 6

Expert Comment

by:Shack-Daddy
SBS won't run application mode. It's hardwired not to. The only option would be to put users in the Domain Admins group and then you'd still be limited to the two sessions allowed. I've never heard of anyone getting around it.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Well, what "Application Mode" means for Terminal Services is that you can install applications which can then be used simultaneously by multiple users, each logging in to a separate desktop on the same server.  SBS does NOT allow this.  Period.

The administrative logins to SBS are only able to administer the server.   You definitely don't want to provide Administrator privileges.

Can you really be serious about security not being a major concern?  How much time are you spending just setting this up?  Do you want just anyone to be able to hack into your server and not only access what's there, but to majorly screw it up?

Be cautious of the WinConnectXP.  While it will provide multiple remote desktops on a WindowsXP machine, each instance requires a separate Windows XP license and they don't make that clear in their literature.  Also, many applications will not run under WinConnectXP.

Jeff
TechSoEasy
0

 

Author Comment

by:merdeka
Hi Jeff,

I said security is a major concern and I have had a couple of non-related security problems so I want to be cautious.  

I am not going to provide Admin privileges to anybody, I just tried it out to see if it works.  I can run the same program (my program that I want this company's users to use) in two different workspaces by logging in twice as administrator so I assume that when I buy terminal server licences I can do the same using the restricted privileges of a typical user.

What I am trying to do now is find something that works and then if I need more hardware or whatever I will get it but I don't want to buy it and then discover that I have just wasted time and money.

Assuming Shack-Daddy is correct I will have to get another server but what I have read is that I will need another SBS so I am confused as to how a second SBS will help if the first one won't run in application mode unless there is a way to setup SBS to run in application mode and the other to run in server mode.

Tomorrow I will check the ThinSoft.  

Thanks for your comments,
John  
0
 
LVL 6

Expert Comment

by:Shack-Daddy
You can't use another SBS. Only one can exist per domain. But you can add another 2003 server as a member of the domain and even make it a DC if you want (I wouldn't). You would then turn on application mode on the new server, put in the codes for a 5-TS CAL pack, and install your app. Then your users could log onto it with their existing domain accounts (even via RWW) and run the app.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 62 total points
Sorry, I misread your security comment.

No, you cannot just buy Terminal Server licenses for an SBS.  I thought that was clear.

If you want to run a Terminal Server on your network, then you need to add a Standard Windows Server 2003 for this purpose.  Please see http://sbsurl.com/sbstss for info.  You could also do this virtually... http://sbsurl.com/vs has info on that.

But this has gotten WAY off of your original question regarding getting through on specific ports...

Jeff
TechSoEasy
0
 

Author Comment

by:merdeka
Hi Jeff,

OK I can see you are right from the attached article.  

I had asked this question of the computer software dealer where I intended to buy the Terminal Server licences and I was told there was no problem and if I wanted to I could run Terminal Server on my SBS or install another SBS and run TS on that.  He actually suggested that I not bother with a second server even though I knew MS recommended it (maybe more than recommended it).

I apologize for my ignorance.

I assume what you are saying is that adding another server is a different world and even if I could run this app on my server remotely using my Admin account from this company's network PC it wouldn't advance my cause.

Thanks,
John    

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Well, it's a good thing that you didn't listen to him about the second server either!!!  Because you can't add a second SBS to your network... there can only be ONE SBS.  The additional server would have to be a Windows Server 2003 standard edition.

And I'm sorry, but I totally don't understand your last comment about "a different world".

Jeff
TechSoEasy
0
 

Author Comment

by:merdeka
Hi Jeff,

What I meant is there is no point in seeing if I can run the program on my SBS because whatever we find that does work may not be applicable to the SBS 2003 + Server 2003 configuration.

John
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
That is true, basically.  I wouldn't install it on your SBS as a test, if that's what you are saying.  Unless you create a LAB instance of your SBS (one that is not your production server).

Jeff
TechSoEasy
0
 

Author Comment

by:merdeka
Hi Jeff,

I wasn't going to install anything on the SBS (after your comment about SBS being unable to support Terminal Server).  

I wonder if I can run the software on my SBS from the other company's PC if that would be a worthwhile experiment in determining if I could run it on a new Server 2003.  In other words, will this get me over one hurdle on my way to getting the whole thing working or is the situation with the new Server 2003 so different that experimenting with the SBS is a waste of time?

Thanks,
John
0
 
LVL 6

Expert Comment

by:manicsquirrel
What is it that you are wanting to run that your clients need access to it as well?  I don't really understand the situation.  I would never let a client into my network.  What are you trying to accomplish?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Does the software have to run on an actual server operating system?  Or can it run on XP acting as a server for just that program?

Jeff
TechSoEasy
0
 
LVL 6

Expert Comment

by:manicsquirrel
I'm sorry, we are getting way off the original question.  Let me redirect.  Can you determine if port 8080 or 8443 outgoing is blocked by your customer's network?  These are common web ports used for remote web management of some network devices.  It might also be worth the effort to ask them for a list of open ports and available SSL tunnels that they support.  Then we could decide what port number to change 444 to and then you could continue to work seamlessly and so could your customer.

Otherwise, I believe my first comment answers your question explicitly.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
Well, I stated that we got way off topic a couple of days ago and thought we were really done with the original issue.  (In which case this question should be closed).

Jeff
TechSoEasy
0
 

Author Comment

by:merdeka
Hi Manicsquirrel and Jeff,

It seems like the question has become what is the question.  I will check on the ports as requested.

The client can run our database on their server and this would normally solve the problem but we are still doing some development work.  We would like to have more control over the database so we can be more responsive to their needs.  Also, some of their users will be in remote locations part time and some full time.  The programmers are also in remote locations.

Thanks,
John    
0
